| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <BLUPR13MB0289DF5EA12E2D27D7908CF7DFD10@BLUPR13MB0289.namprd13.prod.outlook.com>
Date: Wed, 28 Nov 2018 06:16:10 +0000
From: Yueyi Li <liyueyi@...e.com>
To: Willy Tarreau <w@....eu>
CC: "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
"donb@...uritymouse.com" <donb@...uritymouse.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] lzo: fix ip overrun during compress.
Hi Willy,
On 2018/11/28 12:08, Willy Tarreau wrote:
> Hi Yueyi,
>
> On Tue, Nov 27, 2018 at 10:34:26AM +0000, Yueyi Li wrote:
>> It`s possible ip overrun in lzo1x_1_do_compress() when compressed page is
>> point to the end of memory and which virtual address is 0xfffffffffffff000.
>> Leading to a NULL pointer access during the get_unaligned_le32(ip).
> Thanks for this report.
>
> (...)
>> diff --git a/lib/lzo/lzo1x_compress.c b/lib/lzo/lzo1x_compress.c
>> index 236eb21..a0265a6 100644
>> --- a/lib/lzo/lzo1x_compress.c
>> +++ b/lib/lzo/lzo1x_compress.c
>> @@ -17,6 +17,9 @@
>> #include <linux/lzo.h>
>> #include "lzodefs.h"
>>
>> +#define OVERFLOW_ADD_CHECK(a, b) \
>> + ((size_t)~0 - (size_t)(a) < (size_t)(b) ? true : false)
>> +
> I think the test would be easier to grasp this way :
>
> #define OVERFLOW_ADD_CHECK(a, b) \
> ((size_t)(b) >= (size_t)((void*)0 - (void *)(a)))
>
> But the following should be more efficient since we build with
> -fno-strict-overflow :
>
> #define OVERFLOW_ADD_CHECK(a, b) \
> (((a) + (b)) < (a))
Thanks for the suggestion, I will change it in next version.
> Could you please recheck ?
>
> Thanks,
> Willy
Thanks,
Yueyi
Powered by blists - more mailing lists